The Storm botnet strikes again

Once upon a time, the Storm botnet was responsible sending out 20 percent of all spam, but was eventually crippled by the rise of new malicious software removal tools. By the end of 2008, it was thought to be defunct.

But, according to CA researchers, the botnet is trying to raise itself from the grave. The Storm worm is again infecting PCs all over the world by way of a downloader Trojan that, among other things, also downloads fake AV variants onto the compromised computer.

Once the worm is installed, it gets in touch with its spam bot server via http POST command. The server responds with the command and sends the data needed for manufacturing spam emails – a long list of spam email templates such as this one:

The spam emails in question typically belong to one of these four groups: online pharmacy, adult dating, celebrity scandals, or impotency related spam.

It is, of course, impossible to say if the people behind this new Storm botnet are the ones that ran the original one. “The characteristics and behaviors are very much Storm-related in terms of the command and control and the mechanism that it uses to identify the content of the mail messages and who and how to send them,” said the head of CA’s research team when interviewed by The Register.

It remains to be seen if the original design flaw that enabled researchers to disrupt the worm’s links to its C&C centers is still present.